This presentation gives information about the pentest services delivered by BTPRO Bilgi Teknolojileri A.Ş. BTPro is a cyber security consultancy based in Istanbul, Turkey.
1. PENETRATION TESTING SERVICES
BTPRO Bilgi Teknolojileri A.Ş.
Office: +90 216 3840986 / Fax: +90 216 3840986
19 Mayis Mah. Sumer Sok. A4/11 Kozyatagi ISTANBUL
Mobile Solutions | Cyber Security | E-Government Solutions
2. BTPRO Bilgi Teknolojileri A.Ş.
8 June 2015
Pentest Services
Presenter: Mesut TÜRK
mesut.turk@btpro.net
3. Agenda
• What is a Pentest?
• Why should you perform pentesting?
• What are the benefits of Pentesting?
• How are Pentests performed?
• What are the targets of a pentest?
• Attacker profiles in a pentest
• When to perform a pentest?
• Reporting
• Evaluation
• Verification tests
4. What is a Pentest?
• A pentest is a set of authorized cyber attacks, performed in order to discover and verify the vulnerabilities of an information system.
• In a typical pentest session, vulnerabilities are carefully exploited.
– The customer is informed of all steps.
– Tests are performed against all systems of the customer.
5. Why perform a Pentest?
• Depicting the current security level of a company.
• Identifying the gaps, and the security awareness of both systems and human resources, against possible breaches.
• Pentests find out how much sensitive information, and which, would be lost in case of a cyber attack.
6. Why perform a Pentest?
• The Independent IT-Security Institute reports that around 150,000 malware samples were produced in 2014.
• The AV-TEST Institute reports 390,000 new malware samples every day.
• Kaspersky Lab reports that:
– 6,167,233,068 malware samples were found in 2014.
– 1,432,660,467 mobile attacks were discovered in 2014.
– Among the surveyed companies involved in e-business, half have suffered losses because of cyber attacks.
• New attack types and methods are discovered each day.
7. International Cyber Security Incidents, 2014
• Carbanak: a cyber gang with financial motives that stole 1 billion US dollars (remotely, using malware) in 30 different countries.
• Sony: a ruthless cyber attack that caused a major reputation loss for the company.
• HSBC Turkey: in November 2014, 2.7 million card records were stolen.
8. What are the benefits of a Pentest?
• Vulnerabilities of an information system are exposed.
• Facilitates the analysis of genuine risks.
• Helps sustain business continuity.
• Decreases the likelihood of successful real attacks.
• Protects staff, customers and business partners.
• Helps with compliance with
– ISO 27001
– PCI DSS
• Increases know-how and facilitates analysis of real attacks.
• Preserves company reputation.
9. How is a Pentest performed?
• Determining the scope
– Web application pentest
– End user and social engineering attacks
– DDoS and performance tests
– Network infrastructure tests
– External and internal network tests
– Mobile application pentest
– Virtualization system pentest
– Database pentest
11. How is a Pentest performed?
• Performing the test
– Information gathering
– Analysis and planning
– Discovering vulnerabilities
– Exploitation
– Gaining access
– Privilege escalation
– Analysis and reporting
– Post-fix verification
★ Our pentest reports cover all relevant findings, and only relevant ones (those that can actually cause a risk).
★ We never deliver automated scan results to the customer, and we employ and encourage our staff in specific fields of pentesting.
★ We are a team composed of web pentesters, a SCADA tester, a DDoS expert, network pentesters, a social engineer and a wireless pentester.
12. Target systems in a pentest
• The following areas are tested and observed for the possibility of information leakage and system malfunction, in order to identify the security level of the determined scope:
• Mistakes and shortcomings in application development
• Configuration errors
• Security awareness of staff
• System protection level
• Infrastructure security level
• Insecure certificate usage
• Patch level of applications
• Patch level of operating systems
13. Attacker profiles in a pentest
• External network test profiles
– Normal user with no insider information
– Unauthorized user with insider information
– Authorized user with insider information
– Admin user with insider information
• Internal network test profiles
– Unauthorized user
– Employee profile
• Unhappy employee profile
• Disgruntled employee profile
– Manager profile
14. When to perform a pentest
• During critical periods for the industry and the company
• Before and after corporate milestones
• When hiring or firing critical personnel
• The weak system
• The strong system
15. How often are Pentests performed?
• At least once a year
• After system changes and new system deployments
• After new system integrations
16. Reporting
• All findings during the pentest are analyzed, verified and reported.
• A detailed explanation of each finding, with a recommended solution and the steps to resolve it, is submitted in the report.
• Findings are categorized; findings by category and findings by severity are presented as statistical graphs in the report.
18. Security re-evaluation of the company
• An executive summary report, showing the general security evaluation of the company, is delivered to the executives.
• A project closure meeting is organized to discuss the report.
19. Verification Tests
• After a detailed explanation of the findings and delivery of the final report, the company is expected to close the gaps.
• After the gap closure, a time frame for verification tests is agreed by both parties.
• The findings in the report are re-evaluated in the verification tests.